A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Millions of bank loan and mortgage documents have leaked online (TechCrunch, Jan 30 2019)
A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse.

Massive mortgage and loan data leak gets worse as original documents also exposed (TechCrunch, Jan 30 2019)
It turns out that data was exposed again — but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see — and download — the files stored inside.

Aligning to the NIST Cybersecurity Framework in the AWS Cloud (AWS Security Blog, Jan 24 2019)
The updated guide, NIST Cybersecurity Framework (CSF): Aligning to the NIST CSF in the AWS Cloud, is designed to help commercial and public sector entities of any size and in any part of the world align with the CSF by leveraging AWS services and resources.

Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras


Vulnerable cloud infrastructure experiencing increasing attacks (Help Net Security, Jan 25 2019)
The attacks are automated and probe the infrastructure and cloud services for vulnerabilities and/or weak or default login credentials.

Pentagon stands by finding of no conflict of interest in JEDI RFP process (TechCrunch, Jan 25 2019)
A line in a new court filing by the Department of Defense suggests that it might reopen an investigation into a possible conflict of interest in the JEDI contract RFP process involving a former AWS employee.

Thieves’ names and descriptions made public on B&Q database (Naked Security – Sophos, Jan 29 2019)
An exposed Elasticsearch instance gave up information on around 70,000 shoplifters, according to Australian security researcher Lee Johnstone.

Enterprises are struggling with cloud complexity and security (Help Net Security, Jan 30 2019)
As organizations embrace new technologies, such as multi-cloud deployments, they are struggling to implement proper data security.

How to quickly find and update your access keys, password, and MFA setting using the AWS Management Console (AWS Security Blog, Jan 24 2019)
You can now more quickly view and update all your security credentials from one place using the “My Security Credentials” page in the AWS Management Console. When you grant your developers programmatic access or AWS Management Console access, they receive credentials, such as a password or access keys, to access AWS resources.

Regulatory compliance dashboard in Azure Security Center now available (Microsoft Azure Blog, Jan 24 2019)
Azure Security Center now helps streamline the process of meeting compliance standards with the new regulatory compliance dashboard, recently released to public preview.

DevSecOps: Old Security Bugs Still Performing New Tricks (DevOps, Jan 25 2019)
One of the oldest and most used JavaScript libraries is jQuery, an open source resource that helps with everything from event handling, to DOM tree traversal and manipulation, to generating animations. It’s quite a workhorse, and has been used for many years. People assume that because the library is so established at this point, it must have been completely vetted, with any vulnerabilities removed. Sadly, this is not the case.

FaceTime Bug an AppSec Fail (Dark Reading, Jan 29 2019)
Apple has shut off Group FaceTime while it prepares a fix for a newly discovered security flaw found by a 14-year-old gamer.

Video platform Dailymotion takes steps to contain credential stuffing attack (SC Magazine, Jan 29 2019)
Attackers have launched an ongoing credential stuffing campaign against the online video streaming service Dailymotion, compromising the data of an unspecified number of users in the process.

Google Takes Its First Steps Toward Killing the URL (Wired, Jan 29 2019)
Google wants to get rid of URLs. But first, it needs to show you why.